The use oriented IT services to users is offered by cloud computing. Two of the outstanding advantages are the large storage space and the strong computing power for cloud computing. Nowadays, with the development of cloud computing persons gradually have gotten accustomed to store their pictures, contacts or some other files to the cloud servers. Meanwhile, strong computing power is also utilized by persons or companies. For the convenience of people’s daily life, many novel applications are proposed in cloud computing.

On the one hand, cloud users/terminals can save their cost via outsourcing their data storage or computation to the cloud servers, while the cloud users/terminals are only viewed as “devices” of input and output. On the other hand, a user’s data are out of control by herself/himself, how to protect the users’ privacy is a key issue in academia and industry. Thus a sequence of security issues is considered, such as remotely auditing [1], [2], outsourcing computation [3], outsourcing verification [4] and keyword searching [5]. Although various cryptographic skills and methods were put forward, attribute-based encryption (ABE) [6], a fine-grained and flexible scheme for access structure becomes one of the most hot notions to be researched in cloud computing.

ABE put forward by Sahai and Waters [6], was taken into account an extended version of notion of identity-based encryption (IBE). It is efficient to perform one-to-many encryption model but other than broadcast encryption. Lately, according to the access control policy deploying, ABE schemes were categorized two distinct types, key-policy ABE (KP-ABE) [7] and ciphertext-policy ABE (CP-ABE) [8]. However, one main barrier is that the decryption cost of these ABE schemes is very high. Because the user’s decryption cost and the ciphertext’s length linearly grow with the access policy’s complexity. It has become a critical obstacle for various applications in cloud computing, such as the applications on wireless sensor, smart phone.

In order to reduce the computation cost of ABE’s decryption algorithm and use powerful computational capability of the cloud server or some proxies, Green et al. [9] presented the notion of ABE with outsourced decryption (ABE-OD), which was called GHW method. A user need spend a small cost decrypting a ciphertext via a cloud server completes a large number of computation in their scheme. That is to say, the cloud server first outputs a transformed ciphertext by computing a delegated transformation key and the original ciphertext, and next the user can obtain the corresponding plaintext via computing “decryption” algorithm. While for security consideration, the ABE-OD scheme at the outsourcing process couldn’t leak any information about the plaintext. However, there are two other issues they didn’t solve in their ABE-OD scheme. One is that there is no mechanism to ensure the transformed ciphertext’s correctness. The other is that the authority needs to firstly generate user’s private key and then generate user’s transformation key (the private key cannot be used any longer), which causes the scheme isn’t fine-grained for user and increments the overhead of the authority.

To solve these problems, Lai et al. [10] used the GHW method to construct an ABE-OD scheme called verifiable outsourced decryption of ABE (ABE-VOD), which can verify the transformed ciphertext’s correctness by a proxy or the cloud server. A random message and a plaintext are encrypted and meanwhile generated a commitment by the data owner in their ABE-VOD scheme. While the data receiver can make use of her/his private key to create a retrieving key and a transformation key which is utilized to produce a transformed ciphertext. In their decryption algorithm or outsourced decryption algorithm, the commitment is to make use of checking the generated transformed ciphertext’s correctness. When the attributes set meets the ciphertext’s access structure, the user is able to verify the transformed ciphertext’s correctness. The model of their ABE-OD is described in FIGURE 1. Subsequently, relying on distinct scenarios or different correctness-checking methods, several ABE-VOD schemes were presented [11]–​[29], while all these schemes used the GHW skill to design the outsourced decryption. Although Qin et al. [30] and Zhao and Wang [21] also put forward ABE-VOD schemes, they required the authority to produce the transformation key. Xu et al. [31] constructed an ABE-VOD scheme from multilinear map [32] that is secure based on $k$ -multilinear Decisional Diffie-Hellman problem. However, Hu and Jia [33] showed that construction of the multilinear map [32] is not secure.

FIGURE 1.

Architecture for ABE-OD.

Show All

Arbitrary usage of cloud computing can lead to uneconomical energy consumption in data storage, processing and communication. Hence, green cloud computing solutions aim not only to save energy but also reduce operational costs and carbon footprints on the environment [34].

While green computing is the atmosphere conscientious and recyclable utility of resources [35]. The green cloud networks can reduce their energy requirements by adapting their performance when it deploys, manages and provides the services [36].

A. Motivation

It is the key technique for implementing the green cloud computing to reuse the resource and reduce the total energy consumption on the condition of guaranteeing the quality of service for performing the same task.

We analyze the outsourced decryption model proposed by Lai et al. [10] in the FIGURE 1. Every user generates her/his transformation key and retrieving key. When a user $User_{1}$ starts to outsource decryption of a ciphertext $C$ , she/he sends the transformation key $TK_{1}$ to the cloud server and gets a corresponding transformed ciphertext $TCT_{1}$ from the cloud server. The value of the transformed ciphertext $TCT_{1}$ relies on $C$ and $TK_{1}$ . Another user $User_{2}$ also requires to outsource decryption for the same ciphertext $C$ , so she/he and the cloud server will interactively repeat the previous process to produce the transformed ciphertext $TCT_{2}$ . Since their transformation keys are different, we have

$$\begin{equation*} TCT_{1} \not = TCT_{2}.\end{equation*}$$ View Source\begin{equation*} TCT_{1} \not = TCT_{2}.\end{equation*} But the two users obtain the same plaintext after they decrypt the ciphertext $C$ . The ABE is a one-to-many encryption concept. That is to say, there are many users who belong to the same set of attributes satisfying the access policy and can decrypt the ciphertext to get the same plaintext but their transformation keys and retrieving keys are different. Accordingly, to consider the cloud server’s computation cost, it needs to compute $n$ transformed ciphertexts for the ciphertext $C$ of which the corresponding plaintext is the same if $n$ users ask for the cloud server’s outsourced decryption service, where $n$ is the number of users whose attributes satisfy the access policy.

Although we suppose that the cloud server has much strongly computation power, it seems that the existing outsourced decryption manner wastes the computing resource of the cloud server which is required to help the users to repeatedly convert the same ciphertext into the transformed ciphertexts which correspond the same plaintext respectively. Thus, an ideal solution is that the cloud server can repeatedly use the transformed ciphertext of a ciphertex $C$ for ABE-OD scheme in green cloud networks. That is to say, the cloud server computes a transformed ciphertext for the same ciphertext once which can be used by all users who satisfy the access policy.

To our best knowledge, all existing ABE-OD schemes solved the problem of reducing the computation cost of the users and preventing the cloud server from cheating for every outsourced decryption. No scheme solves the problem of efficiently reduceing the total computation cost of the cloud server besides the users at the same time.

Thus, the goal of our work is to find an efficient outsourced decryption method of ABE scheme to reduce the cloud server’s computation cost besides reducing the computation cost of users.

Firstly we recall some notions, the ABE-OD model and its security model.

A. Notation

In order to clearly understand our paper, the abbreviations used in the paper are given in TABLE 1.

TABLE 1 The Abbreviations and Notations

B. Bilinear Map

The order of two multiplicative groups $\mathbb {G}_{1},~\mathbb {G}_{2}$ is $p$ which is prime. If a map $e: \mathbb {G}_{1} \times \mathbb {G}_{1} \rightarrow \mathbb {G}_{2}$ [37] fulfills the properties below, then it is called admissible bilinear map. Let $g \in \mathbb {G}_{1}$ be a random element which is not the identity.

• Bilinear: For any elements $u,v\in \mathbb {Z}_{p}^{*},\,\,e(g^{u},g^{v})=e(g,g)^{uv}$ holds.

• Non-degenerate: $e(g,g)\neq 1_{\mathbb {G}_{2}}$ , where $1_{\mathbb {G}_{2}}$ , $1_{\mathbb {G}_{1}}$ are the identity elements of $\mathbb {G}_{2}$ and $\mathbb {G}_{1}$ , respectively.

• Computable: For every element $g'',g' \in \mathbb {G}_{1},~e(g'',g')$ is able to be computed efficiently.

Defintion 1.

$\mathbb {G}_{1},~\mathbb {G}_{2}$ and $e$ are defined above. The bilinear Diffie-Hellman (BDH) problem is:

• $e(g,g)^{\eta \theta \vartheta }$ can be calculated by a probabilistic polynomial-time algorithm (PPT algorithm) for $g,g^{\eta },g^{\theta },g^{\vartheta } \in \mathbb {G}_{1}$ . Where $\eta,~\theta,~\vartheta \in \mathbb {Z}_{p}^{*}$ is randomly selected.

For any PPT algorithm $\mathcal {A}$ , advantage of outputing $e(g,g)^{\eta \theta \vartheta }\in \mathbb {G}_{2}$ is $Adv^{\mathrm {BDH}}_{\mathcal {A}}(\tau)=$

$$\begin{equation*} \mathrm {Pr}[\mathcal {A}(g,g^{\eta },g^{\theta },g^{\vartheta })=e(g,g)^{\eta \theta \vartheta }: g,g^{\eta },g^{\theta },g^{\vartheta }\in \mathbb {G}_{1}].\end{equation*}$$ View Source\begin{equation*} \mathrm {Pr}[\mathcal {A}(g,g^{\eta },g^{\theta },g^{\vartheta })=e(g,g)^{\eta \theta \vartheta }: g,g^{\eta },g^{\theta },g^{\vartheta }\in \mathbb {G}_{1}].\end{equation*} For any $\mathcal {A}$ above, if the advantage $Adv^{\mathrm {BDH}}_{\mathcal {A}}(\tau)$ is negligible in security parameter $\tau$ , the BDH assumption holds.

E. Security Model

Firstly, we recall the definition of chosen plaintext attack (CPA) for ABE-OD in [15]. We take into account the selectively CPA security model for ABE-OD via the interactive game between $\mathcal {C}$ (a challenger) and $\mathcal {A}$ (an adversary) below.

• Init. $\mathcal {A}$ sets an access policy $\mathbb {A}^{*}$ as a challenge.

• Setup. $\mathcal {C}$ produces the public parameters $PK$ and sends them to $\mathcal {A}$ ; $\mathcal {C}$ produces the master secret key $msk$ and keeps it secret.

• Phase 1. The challenger $\mathcal {C}$ sets an empty table $T$ and an empty set $D$ initially. $\mathcal {A}$ can enquire as follows.

  • $Private~key$ query. $\mathcal {A}$ inquiries private key for any attribute set $S$ and records it in the set $D.~\mathcal {C}$ answers all private key queries on the attribute sets $S$ which cannot fulfill $\mathbb {A}^{*}$ .

  • $Transformation~key$ query. The adversary $\mathcal {A}$ inquiries the transformation key for any attribute sets $S,~\mathcal {C}$ answers all queries on them and stores them in the table $T$ .

• Challenge. In this phase, $\mathcal {C}$ randomly picks $c\in \{0,1\}$ from two same length messages $M_{0}$ and $M_{1}$ which are produced by $\mathcal {A}$ , and calculates

  $$\begin{equation*} CT^{*} = Encrypt(PK, M_{c}, \mathbb {A}^{*}).\end{equation*}$$ View Source\begin{equation*} CT^{*} = Encrypt(PK, M_{c}, \mathbb {A}^{*}).\end{equation*} At last, $\mathcal {C}$ sends $CT^{*}$ to the adversary.

• Phase 2. $\mathcal {A}$ repeats making some queries as in Phase 1.

• Guess. $\mathcal {A}$ guesses a bit $c'\in \{0,1\}$ of $c$ .

The advantage of $\mathcal {A}$ winning above game is $$\begin{equation*} |\frac {1}{2}-\mathrm {Pr}[c=c']|,\end{equation*}$$ View Source\begin{equation*} |\frac {1}{2}-\mathrm {Pr}[c=c']|,\end{equation*} here, the probability $\mathrm {Pr}[c=c']$ is taken over random coins by $\mathcal {C}$ and $\mathcal {A}$ .

Definition 3:

An ABE-OD scheme is selectively CPA-secure if the above advantage is negligible in $\tau$ for any PPT adversary $\mathcal {A}$ .

Next, we recall the definition of the RCCA-secure of the ABE-OD. Compared with the CPA-secure, the RCCA adversary $\mathcal {A}$ can also take the decryption queries besides the above game. The decryption queries are described as follows:

• Phase 1. $Decrypt$ queries. $\mathcal {A}$ inquiries the decryption on $S$ and $CT$ . The adversary $\mathcal {C}$ produces and returns the corresponding plaintext $M$ .

• Phase 2. $Decrypt$ queries. $\mathcal {A}$ repeats making the decryption queries as in Phase 1 except that $\mathcal {C}$ aborts if the corresponding plaintext is $M_{0}$ or $M_{1}$ .

The advantage of $\mathcal {A}$ winning above game is $$\begin{equation*} |\frac {1}{2}-\mathrm {Pr}[c=c']|,\end{equation*}$$ View Source\begin{equation*} |\frac {1}{2}-\mathrm {Pr}[c=c']|,\end{equation*} here, the probability $\mathrm {Pr}[c=c']$ is taken over random coins by $\mathcal {C}$ and $\mathcal {A}$ .

Definition 4.

An ABE-OD scheme is selectively RCCA-secure if the above advantage is negligible in $\tau$ for any PPT adversary $\mathcal {A}$ .

We design an ABE-OD scheme which is based on the construction of Waters [40] below.

• Setup $(1^{\tau },U)$ . On input $1^{\tau }$ and $U$ = $\{at_{1}, \cdots, at_{l} \}$ . To produce a bilinear map $e$ with groups $\mathbb {G}_{1},\mathbb {G}_{2}$ as section II, where the order of $\mathbb {G}_{1},~\mathbb {G}_{2}$ is prime $p$ . Select a random element $g \not = 1_{\mathbb {G}_{1}}$ of $\mathbb {G}_{1}$ , elements $a, \alpha \in \mathbb {Z}_{p}^{*}$ and $l$ random elements $T_{1},~\cdots,~T_{l}$ of $\mathbb {G}_{1}$ , to calculate

  $$\begin{equation*} y = g^{a}, Y = e(g,g)^{\alpha }.\end{equation*}$$ View Source\begin{equation*} y = g^{a}, Y = e(g,g)^{\alpha }.\end{equation*} Set the public parameters $PK$ = $(\mathbb {G}_{1},~g,~y,~Y,~\mathbb {G}_{2},~T_{1}, \cdots, T_{l})$ , the master key $msk = \alpha$ .

• KeyGen$(msk, PK, S)$ . It selects an element $\lambda \in \mathbb {Z}_{p}^{*}$ randomly, calculates

  $$\begin{equation*} \{K_{i}=T_{i}^{\lambda }\}_{at_{i} \in S}, K = y^{\lambda }g^{\alpha }, K_{0} = g^{\lambda }.\end{equation*}$$ View Source\begin{equation*} \{K_{i}=T_{i}^{\lambda }\}_{at_{i} \in S}, K = y^{\lambda }g^{\alpha }, K_{0} = g^{\lambda }.\end{equation*} Finally it sets $SK_{S} =$ $$\begin{equation*} (S, \{K_{i}: at_{i} \in S\}, K, K_{0})\end{equation*}$$ View Source\begin{equation*} (S, \{K_{i}: at_{i} \in S\}, K, K_{0})\end{equation*} as the user’s private key.

• Encrypt$(M,\mathbb {A})$ . It uses a message $M\in \mathbb {G}_{2}$ and $\mathbb {A}$ = $(A,\rho)$ to calculate a ciphertext, where $l \times n$ matrix $A$ and a map $\rho$ defined above. It randomly picks $\lambda _{i} \in \mathbb {Z}_{p}^{*}$ and $\vec {v} =$

  $$\begin{equation*} (\nu, \nu _{2}, \cdots, \nu _{n}) \in \mathbb {Z}_{p}^{n},\end{equation*}$$ View Source\begin{equation*} (\nu, \nu _{2}, \cdots, \nu _{n}) \in \mathbb {Z}_{p}^{n},\end{equation*} where $\nu$ is to be shared. Then it calculates: $$\begin{align*} C_{0}=&g^{\nu }, C_{M} = Y^{\nu } M,\\ (D_{1}=&g^{\lambda _{1}}, C_{1} = T_{\rho (1)}^{-\lambda _{1}}g^{aA_{1} \cdot \vec {v}}),\\&\cdots, (D_{l} = g^{\lambda _{l}}, C_{l} = T_{\rho (l)}^{-\lambda _{l}}g^{aA_{l} \cdot \vec {v}}).\end{align*}$$ View Source\begin{align*} C_{0}=&g^{\nu }, C_{M} = Y^{\nu } M,\\ (D_{1}=&g^{\lambda _{1}}, C_{1} = T_{\rho (1)}^{-\lambda _{1}}g^{aA_{1} \cdot \vec {v}}),\\&\cdots, (D_{l} = g^{\lambda _{l}}, C_{l} = T_{\rho (l)}^{-\lambda _{l}}g^{aA_{l} \cdot \vec {v}}).\end{align*} Set $CT = (C_{0}, C_{M}, (D_{1}, C_{1}), \cdots, (D_{l}, C_{l}))$ to be the ciphertext.

• Decrypt $(SK,S,CT)$ . This algorithm decrypts the ciphertext $CT$ for input $SK,~S$ and $(\mathbb {A}, CT)$ .

  When $S$ meets $\mathbb {A}$ , this algorithm calculates $o_{i} \in \mathbb {Z}_{p}^{*}$ ($i \in I$ ) which satisfies $\Sigma _{i\in I}o_{i}A_{i} = (1,0,\cdots,0)$ firstly, and then calculates the corresponding plaintext

  $$\begin{equation*} M' = \frac {C_{M}\prod \limits _{i\in I}(e(D_{i},K_{\rho (i)})e(C_{i}, K_{0}))^{o_{i}}}{e(C_{0},K)}.\end{equation*}$$ View Source\begin{equation*} M' = \frac {C_{M}\prod \limits _{i\in I}(e(D_{i},K_{\rho (i)})e(C_{i}, K_{0}))^{o_{i}}}{e(C_{0},K)}.\end{equation*}

• GenTK$_{out}(SK)$ . This algorithm uses $SK$ = $(K, K_{0}, \{K_{i}: at_{i} \in S\})$ to set $(K_{0},~\{K_{i}: at_{i} \in S\})$ as the transformation key $TK$ , and $K$ as the retrieving key $RK$ , respectively.

• Transform$_{out}(TK,CT)$ . This algorithm uses $CT$ and $TK$ to calculate

  $$\begin{equation*} TCT = \prod \limits _{i\in I}(e(D_{i},K_{\rho (i)})e(C_{i}, K_{0}))^{o_{i}},\end{equation*}$$ View Source\begin{equation*} TCT = \prod \limits _{i\in I}(e(D_{i},K_{\rho (i)})e(C_{i}, K_{0}))^{o_{i}},\end{equation*} which equals $e(g,g)^{a \nu \lambda }$ .

• Decrypt$_{out}(CT, TCT,RK)$ . This algorithm uses $CT$ , $TCT$ and $RK$ to calculate the corresponding plaintext

  $$\begin{equation*} M' = \frac {C_{M}TCT}{e(C_{0},K)}.\end{equation*}$$ View Source\begin{equation*} M' = \frac {C_{M}TCT}{e(C_{0},K)}.\end{equation*}

Note: Compared the GHW method to generate the transformation key, our approach does neither store the transformation key (if compute the transformation key offline), nor increase the overhead of outsourcing decryption (if compute the transformation key online). It is obvious for the correctness of our scheme, we omit it.

The main goal of our method is to reduce the total overhead of the cloud server for outsourced decryption of ABE scheme besides decreasing the user’s overhead of the decryption of ABE scheme when many users submit the outsourced decryption service to the cloud server. Although Green et al. [9] and Li et al. [15] used the same outsourcing method to outsource the decryption, the entities to generate the transformation key were different and subsequent works were used these two methods, respectively. We compare their methods with ours in TABLE 2.

TABLE 2 Comparison of Two Approaches

For every ciphertext, the cloud server for the GHW method [9], [15] needs to compute $(2|I| + 1)$ bilinear pairings for every outsourced decryption. Thus, the cloud server needs to compute at most $\xi (2|I| + 1)$ bilinear pairings when $\xi$ users require the outsourced decryption services. While the cloud server merely needs to compute $2|I|$ bilinear pairings for the total overhead of all outsourced decryption for our method via simply comparing their transformation keys. Because the cloud server only could check whether the transformation keys are the same or not. For example, the cloud server could setup a list $L$ which includes elements as a form $l_{CT}$ = $(CT, TK, TCT)$ ¹ for every ciphertext $CT$ . When a user submits a decryption service of the ciphertext $CT$ , the cloud server returns $TCT$ if $l_{CT}$ exists in $L$ ; Otherwise, it computes $TCT$ and returns $TCT$ to the user and records $(CT, TK, TCT)$ in the list $L$ . Thus the total overhead of all outsourced decryption for the GHW method grows with the number of users $\xi$ , but our method is independent of it. However, for the overhead of every user, their method is somewhat more efficient than our method. Because our method requires the user to compute 1 bilinear pairing and 2 multiplications over $\mathbb {G}_{2}$ , but the GHW method only requires the user to compute 1 multiplication and exponentiation over $\mathbb {G}_{2}$ . This overhead can be performed by the vast majority of devices, even some resource-constrained devices. We implement the our approach by using pairing- based cryptography library [39] on an Intel Core i5-3210M (2.50 GHz) machine with the Windows XP operating system and 4G RAM. The relative times of considered cryptographic operations are given in TABLE 3. We set $|I| = 10$ . The detailed comparison of operating time for the cloud server is in FIGURE 2.

TABLE 3 Time of Cryptographic Operations(in Milliseconds)

FIGURE 2.

Total time for the cloud server.

Show All

Then, we analyze the difference between these two methods for users further in TABLE 2. For our method, every user needs to store the private key of an attributes set satisfying the access policy, eg. $(|I|+2)|\mathbb {G}_{1}|$ bits. This is the same as [15], but Green et al.’s scheme [9] discarded the private key and didn’t design the decryption algorithm. Our method does not need to additional computation cost and storage for the transformation key and retrieving key, while every user needs to additionally store $(|I|+2)|\mathbb {G}_{1}|$ bits transformation key and retrieving key or compute $(|I| +2)$ exponentiation operations on the group $\mathbb {G}_{1}$ to generate the transformation key $TK$ once in [15].

The last column represents the entity who generates the transformation key. For flexibility, we take into account the model proposed by Li et al. [15]. For the GHW model, our approach is also useful to reduce the total overhead of the cloud server being outsourced decryption for all users and the cost generating the transformation key.

Thus, compared with the existing schemes, our approach can reduce the total overhead for the cloud server when $\xi$ ($\xi > 1$ ) users require the outsourced decryption service, and it also can reduce decryption cost for every user and generation of the transformation key.

Intuitively, our scheme is as secure as the scheme proposed by Waters [40]. For Waters’s scheme, any adversary can select an element $\lambda ' \in \mathbb {Z}_{p}^{*}$ randomly and then calculate

View Source\begin{equation*} TK'_{S}=(K'_{0} = g^{\lambda '}, \{K_{i}' = T_{i}^{\lambda '}\}_{at_{i} \in S}).\end{equation*}

• $Fact~1$ . The distribution of $TK_{S}$ for our scheme is identical to that of $TK'_{S}$ .

• $Fact~2$ . Given $TK'_{S}$ , there exists $K' = g^{\alpha }y^{\lambda '}$ but the adversary cannot compute $K'$ even if it knows the $\lambda '$ , and $(K', TK'_{S})$ is another valid private key of the attribute set $S$ .

For our scheme, any untrusted cloud server is able to obtain the transformation key from ${GenTK}_{out}$ algorithm before it will output the transformed ciphertext, which is equivalent to that the adversary can make transformation key queries obtain $TK_{S} = (K_{0}, \{K_{i} = T_{i}^{\lambda }\}_{at_{i} \in S})$ in the game of $definition~3$ , where $S$ satisfies the access policy $\mathbb {A}$ . In the light of Lemma, we have a theorem below.

Here, we extend our scheme to the stronger selectively RCCA-secure construction. We get this result by also using the technique proposed by Fujisaki and Okamoto [41]. The construction similar to [9] is described below.

• Setup $(1^{\tau },U)$ . The same as it in the aforementioned ABE-OD scheme besides selecting secure hash functions

  $$\begin{align*}&H_{2}: \{0,1\}^{*} \rightarrow \{0,1\}^{k},\\&H_{1}: \{0,1\}^{*} \rightarrow \mathbb {Z}_{p}^{*}.\end{align*}$$ View Source\begin{align*}&H_{2}: \{0,1\}^{*} \rightarrow \{0,1\}^{k},\\&H_{1}: \{0,1\}^{*} \rightarrow \mathbb {Z}_{p}^{*}.\end{align*}

• KeyGen$(msk, PK, S)$ . The same as it in the aforementioned ABE-OD scheme.

• Encrypt$(M,\mathbb {A})$ . This algorithm uses $M\in \{0,1\}^{k}$ and $\mathbb {A}$ = $(A,\rho)$ to calculate a ciphertext. It picks an element $R$ of $\mathbb {G}_{2}$ randomly and calculates

  $$\begin{equation*} \nu = H_{1}(R,M)\in \mathbb {Z}_{p}^{*}~\mathrm {and}~r = H_{2}(R) \in \{0,1\}^{k}.\end{equation*}$$ View Source\begin{equation*} \nu = H_{1}(R,M)\in \mathbb {Z}_{p}^{*}~\mathrm {and}~r = H_{2}(R) \in \{0,1\}^{k}.\end{equation*} Then it uses $\nu$ to calculate $(D_{1},C_{1}), \ldots, (D_{l}, C_{l})$ as it in the aforementioned construction, where $\nu$ is as part of the vector $\vec {v}$ . Finally it calculates: $$\begin{equation*}C_{0} = g^{\nu }, C_{R} = Y^{\nu } R, C_{M} = r \oplus M,\end{equation*}$$ View Source\begin{equation*}C_{0} = g^{\nu }, C_{R} = Y^{\nu } R, C_{M} = r \oplus M,\end{equation*} Set $CT = (C_{0}, C_{M}, C_{R}, (D_{1},C_{1}), \ldots, (D_{l}, C_{l}))$ as the ciphertext. Decrypt$(SK,S,CT)$ . This algorithm uses $SK$ , a user’s attribute set $S$ and a ciphertext $(\mathbb {A}, CT)$ to calculate $$\begin{equation*} R' = \frac {C_{R}\prod \limits _{i\in I}(e(D_{i},K_{\rho (i)})e(C_{i}, K_{0}))^{o_{i}}}{e(C_{0},K)}.\end{equation*}$$ View Source\begin{equation*} R' = \frac {C_{R}\prod \limits _{i\in I}(e(D_{i},K_{\rho (i)})e(C_{i}, K_{0}))^{o_{i}}}{e(C_{0},K)}.\end{equation*} Then it calculates $M' = H_{2}(R') \oplus C_{M}$ , and checks the following equation $$\begin{equation*} g^{H_{1}(R',M')} \overset {?}{=} C_{0}.\end{equation*}$$ View Source\begin{equation*} g^{H_{1}(R',M')} \overset {?}{=} C_{0}.\end{equation*} The algorithm outputs $M'$ if the equation above holds; Otherwise, it outputs symbol $\perp$ .

• GenTK$_{out}(SK)$ . The same as it in the aforementioned CP-ABE-OD scheme.

• Transform$_{out}(TK,CT)$ . The same as it in the aforementioned CP-ABE-OD scheme.

• Decrypt$_{out}(CT, TCT,RK)$ . This algorithm uses $CT$ , $TCT$ and $RK$ to calculate

  $$\begin{equation*} R' = \frac {C_{R} \cdot TCT}{e(C_{0},K)}.\end{equation*}$$ View Source\begin{equation*} R' = \frac {C_{R} \cdot TCT}{e(C_{0},K)}.\end{equation*} Then it calculates $$\begin{equation*} M' = H_{2}(R') \oplus C_{M},\end{equation*}$$ View Source\begin{equation*} M' = H_{2}(R') \oplus C_{M},\end{equation*} and checks the equation $$\begin{equation*} g^{H_{1}(R',M')} \overset {?}{=} C_{0}.\end{equation*}$$ View Source\begin{equation*} g^{H_{1}(R',M')} \overset {?}{=} C_{0}.\end{equation*} The algorithm outputs $M'$ if the equation above holds; Otherwise, it outputs symbol $\perp$ .

Obviously, the efficiency of the RCCA-secure construction put forward by Green et al. [9] and it of our RCCA-secure construction are similar to them in section IV.

Our method cannot only be used to construct the KP-ABE-OD scheme which is analogous to describe the GHW KP-ABE-OD scheme [9], but also can be used to construct the ABE-VOD schemes [10]–​[13]. Here, we omit these concrete constructions.

The resource is reused and on the condition of guaranteeing the quality of service the total energy consumption is reduced for performing the same task are key features in the green cloud computing. In this paper, we considered the outsourced decryption of ABE scheme in the green cloud computing. In order to reduce the total overhead of the cloud server when many users satisfying the access policy require their outsourced decryptions for the same ciphertext, we put forward a new and secure method used in the ABE-OD schemes. Our approach can reduce the overhead of both users and the cloud server. That is to say, the cloud server’s overhead only needs constant computation cost for all outsourced decryptions of the same ciphertext besides reducing the user’s computation cost. Finally, we extended our approach to a RCCA-secure ABE-OD scheme.